emo/ndhc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

udp_checksum(): Clamp the value of the UDP packet header length.

Browse Source 
Without this change, it is possible for malicious UDP packets to
make the function read past the end of a buffer.

If this was ever a possibility in ndhc, the previous commit fixed
that issue, but there is no reason for udp_checksum() to have
such a subtle precondition to proper use.  This change also makes
it easier to audit correctness.
This commit is contained in:
Nicholas J. Kain 2015-01-06 07:07:08 -05:00
parent 6548b5ce54
commit 9f87bd8b30
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/dhcp.c
View File

@ -132,7 +132,10 @@ static int udp_checksum(struct ip_udp_dhcp_packet *packet)
.protocol = packet->ip.protocol,
.tot_len = packet->udp.len,
};
uint16_t udpcs = net_checksum161c(&packet->udp, ntohs(packet->udp.len));
uint16_t udpcs =
net_checksum161c(&packet->udp,
min_size_t(ntohs(packet->udp.len),
sizeof *packet - sizeof(struct iphdr)));
uint16_t hdrcs = net_checksum161c(&ph, sizeof ph);
uint16_t cs = net_checksum161c_add(udpcs, hdrcs);
return cs == 0;